Abstract

The logic of hereditary Harrop formulas (HH) has proven useful for specifying a wide range of formal 
systems. This logic includes a form of hypothetical judgment that leads to dynamically changing sets of 
assumptions and that is key to encoding side conditions and contexts that occur frequently in structural 
operational semantics (SOS) style presentations. Specifications are often useful in reasoning about the 
systems they describe. The Abella theorem prover supports such reasoning by explicitly embedding 
the specification logic within a rich reasoning logic; specifications are then reasoned about through this 
embedding. However, realizing an induction principle in the face of dynamically changing assumption sets 
is nontrivial and the original Abella system uses only a subset of the HH specification logic for this reason. 
We develop a method here for supporting inductive reasoning over all of HH. Our approach takes advantage 
of a focusing property of HH to isolate the use of an assumption and the ability to finitely characterize 
the structure of any such assumption in the reasoning logic. We demonstrate the effectiveness of these 
ideas via several specification and meta-theoretic reasoning examples that have been implemented in an 
extended version of Abella. 

1 Introduction 

Computational systems are often presented and reasoned about through descriptions in the structural 
operational semantics (SOS) style. We are concerned here with a formalization of this process. A first 
requirement towards this end is a logical framework that can be used to make precise the content of SOS 
style presentations. To be suited to this task, the framework must satisfy certain criteria: it should facilitate 
the description of relations in a rule-based fashion, it should support the treatment of syntactic objects that 
incorporate binding notions, and it should provide a means for formalizing side conditions and (changing) 
contexts that are often part of SOS style rules. Past work, such as that described in [13], has demonstrated
that these requirements are adequately met by a logic programming language equipped with the ability to
use (typed) λ-terms as data structures and the capability of treating universal and hypothetical judgments as
goals. The logic of hereditary Harrop formulas (HH) that has come out of such work has in fact been used
successfully in a variety of formalizations in areas such as programming languages, process calculi and proof 
systems. 

Informal reasoning based on SOS style presentations often accords them an inductive, closed-world 
reading. This is in contrast to the usual interpretation of logic programming specifications: the meaning 
of a relation can always be extended by the addition of new assertions. In order to use such specifications 
effectively in formalized reasoning, it is necessary to somehow treat them instead as fixed point definitions. 
One way of doing this is by directly enriching the specification logic. Another approach, called the two-level
logic approach [7, 10], is to embed the specification logic in a second reasoning logic in a way that results
in the specifications being given the desired inductive interpretation. This is the approach we adopt here.
The specific reasoning logic that we will use is called G [6]; this logic brings together a collection of ideas
developed towards providing a foundation for this approach [9, 14, 20]. G provides a means for associating
fixed-point definitions with atomic predicates. The two-level logic approach is realized in its setting by
encoding derivability in HH as an inductive predicate. The closed-world reading of specifications results then
from the inductive treatment of the derivations that can be carried out from them.

There are several benefits to the two-level logic approach, chief among them being the ability to prove 
and use properties of the specification logic in reasoning. These benefits have been demonstrated through 
the implemented Abella system. There is, however, a difficulty in using the full expressive power
of HH specifications in this form of reasoning. Typical arguments based on such specifications involve 
induction on derivations from them in the underlying logic. However, many specifications, especially ones 
concerning objects that manifest binding structure, make use of universal and hypothetical judgments, leading 
to derivations in the specification logic in which the assumption sets are changing. This complicates the form 
of inductive arguments since new ways of proving assertions become available as the derivation proceeds. 
The original Abella system restricts the permitted HH specifications to a form where only atomic assertions 
can be added to an existing program for this reason: this restriction allows the additional atomic assertions 
that can be proved to be characterized via a simple definition in the reasoning logic that can be used in the 
inductive proof. 

This paper develops a general method for overcoming the above-mentioned difficulty, thereby facilitating 
reasoning over specifications that use the full power of HH. The method we present is based on three key 
observations. First, derivations in HH use assumptions in a focused fashion: to be useful in constructing a 
proof, an assumption must match an atomic judgment that is to be shown in a specific way and then leads 
immediately to new atomic judgments that must be proved. Thus, an inductive analysis of derivations can 
pick a generic formula from a set of assumptions and proceed based only on its structure, without having to 
consider an interleaved processing of varied assumptions. Second, all the assertions that are added arise from 
a fixed original specification. Thus, the structure of these assertions can be finitely characterized, leading 
thereby to a bounded case analysis in an argument that is inductive over HH derivations. Finally, definitions 
in the reasoning logic provide the power to describe the structure of the assumptions that can be dynamically 
added and to prove properties about these additions that are useful in the reasoning process. 

The ideas that we have outlined above are conceptually simple, yet they lead to elegant and effective 
reasoning techniques related to specifications that include embedded implications, i.e., to higher-order 
specifications. We demonstrate this fact in the rest of the paper by describing an extended Abella system that 
embodies them and exhibiting its power through a varied collection of reasoning examples. The next two 
sections develop the context for the work by describing the HH logic and its embedding within the reasoning 
logic in more detail; the latter description builds the focused treatment of assumptions into the structure 
previously existing in Abella. Section 4 then discusses the process of reasoning about HH specifications
in this (extended) framework. In particular, it highlights the difficulty in inductive reasoning arising from
dynamically changing assumption sets and exhibits our method for overcoming this difficulty. Section 5
illustrates our ideas through two further examples, one pertaining to subtyping in Fsub [1, 17] and another
concerning the analysis of reduction in the λ-calculus. We conclude the paper in Section 6 with a discussion
of related work. 

2 The Specification Logic 

The logic HH is a predicative fragment of Church's Simple Theory of Types [2]. The expressions of HH are
simply typed λ-terms. The types are determined by the function type constructor, denoted by → and written
as an infix, right associative operator, from a collection of primitive types. The primitive types are determined
by the user relative to each specification but must include o, the type corresponding to propositions, and at
least one other type. Terms are constructed as usual from an (initial) user-provided signature that identifies
constants with specific types. We write Σ ⊢ t : τ to denote that t is a well-formed term of type τ relative to
the signature Σ. Well-formed terms of type o are called Σ-formulas or just formulas when the signature is
implicit. Equality between terms is determined by the rules of α-, β-, and η-conversion.

Logic is introduced into this background through a set of constants that are given a special status via
inference rules. The logical constants in the HH setting are the implication and conjunction symbols ⇒ and
& of type o → o → o and, for every type τ not containing o, the (generalized) universal quantifier Π_τ of
type (τ → o) → o. An atomic formula, denoted by A possibly with a subscript, is one that does not have a
logical constant as its head symbol. We write ⇒ and & in infix form, treating the former as right and the
latter as left associative. We often omit the type subscript τ from Π_τ. We also use the abbreviations Πx:τ. F
for Π_τ (λx:τ. F) and Πx₁:τ₁, …, xₙ:τₙ. F for Πx₁:τ₁. … Πxₙ:τₙ. F. Finally, we write Πx. F for Πx:τ. F when
the type is irrelevant or can be inferred from context.
Asynchronous rules

$$
\dfrac{\Sigma;\Gamma,F \vdash G}{\Sigma;\Gamma \vdash F \Rightarrow G}\;{\Rightarrow}R
\qquad
\dfrac{\Sigma;\Gamma \vdash G_1 \quad \Sigma;\Gamma \vdash G_2}{\Sigma;\Gamma \vdash G_1 \,\&\, G_2}\;{\&}R
\qquad
\dfrac{\Sigma, c{:}\tau;\Gamma \vdash G\,c}{\Sigma;\Gamma \vdash \Pi_\tau G}\;{\Pi}R\ (c \notin \Sigma)
$$

Synchronous rules

$$
\dfrac{\Sigma;\Gamma \vdash G \quad \Sigma;\Gamma,[F] \vdash A}{\Sigma;\Gamma,[G \Rightarrow F] \vdash A}\;{\Rightarrow}L
\qquad
\dfrac{\Sigma;\Gamma,[F_i] \vdash A}{\Sigma;\Gamma,[F_1 \,\&\, F_2] \vdash A}\;{\&}L
\qquad
\dfrac{\Sigma \vdash t : \tau \quad \Sigma;\Gamma,[F\,t] \vdash A}{\Sigma;\Gamma,[\Pi_\tau F] \vdash A}\;{\Pi}L
$$

Structural rules

$$
\dfrac{}{\Sigma;\Gamma,[A] \vdash A}\;\mathit{init}
\qquad
\dfrac{\Sigma;\Gamma,F,[F] \vdash A}{\Sigma;\Gamma,F \vdash A}\;\mathit{decide}
$$

Figure 1: Rules for HH. In &L, i ∈ {1, 2}.

The HH proof system is given in the form of a focused sequent calculus that can be seen as a suitable
(logical) fragment of the system LJF from [8]. Sequents in this calculus are of two kinds. Asynchronous
sequents are of the form Σ; Γ ⊢ G where Σ is a signature, Γ is a multiset of formulas that form the assumptions
of the sequent and will be called the program clauses, and G is an arbitrary formula called the goal of the
sequent. Synchronous sequents are of the form Σ; Γ, [F] ⊢ A, where Σ and Γ are as before, A is an atomic
formula, and F is an arbitrary formula called the focus.

Fig. 1 contains the inference rules of HH. Reading the rules as a computation of premise sequents
from goal sequents, the asynchronous rules decompose the goal in an asynchronous sequent — using right- 
introduction rules — until it becomes atomic. Then, the decide rule is used to select a single program clause 
for the focus of a synchronous sequent. The synchronous rules, which are left-introduction rules, are then 
used to decompose the focus. Eventually, when the focus is an atomic formula (called the head of its parent 
program clause), it will be matched to the goal using the init rule, finishing the (branch of the) proof. 

The HH language supports a higher-order approach to representing syntactic structure [12, 15] that is also
known as λ-tree syntax [11]. Abstractions in the simply typed λ-terms of HH are used to encode binding
operators present in formal objects. For example, consider representing (untyped) λ-terms in HH. We identify
a type tm for such terms and add the term constructors as two signature constants app : tm → tm → tm
and abs : (tm → tm) → tm. We can then define an encoding of λ-terms as terms of type tm in the
natural way; for example, ⌜λx. λy. x y⌝ = abs (λx. abs (λy. app x y)). The binding character of abstractions
in the (object-level) λ-terms is captured by abstractions in HH. The object-level notions of α-conversion
and capture-avoiding substitution are realized directly in terms of the same operations in HH. The logical 
understanding of binding available through such a representation also simplifies the process of reasoning 
about specifications as we see later. 

We are ultimately interested in formalizing object-level relations that are presented in a structural 
operational semantics (sos) style. Each such relation is formalized as an atomic formula of HH, and its rules 
are specified as program clauses added to the initial goal sequent. For example, assume an (object-level) 
primitive type b and consider the typing relation over λ-terms that is described by the following rules:

$$
\dfrac{}{\Phi, x{:}T \triangleright x : T}
\qquad
\dfrac{\Phi, x{:}S \triangleright M : T}{\Phi \triangleright \lambda x.\,M : S \to T}
\qquad
\dfrac{\Phi \triangleright M : S \to T \quad \Phi \triangleright N : S}{\Phi \triangleright M\,N : T}
$$

The expression Φ ▷ M : T is used here to denote the judgment that M has type T in a context Φ that
assigns types to the free variables of M. The rule for typing abstractions has an implicit proviso that x
does not already appear in the domain of Φ. To encode these rules in HH, we first represent the object
types. Let ty be this (HH) type representing object types, and let the signature contain two constants b : ty
and arr : ty → ty → ty to represent the basic types and function types respectively. Let ⌜T⌝ stand for
the encoding of types as terms of type ty. The typing relation M : T is realized by the atomic predicate
of : tm → ty → o in the signature. The typing rules can be translated into the following program clauses
for the of predicate.

of M (arr S T) ⇒ of N S ⇒ of (app M N) T. (R1)
(Πx. of x S ⇒ of (M x) T) ⇒ of (abs M) (arr S T). (R2)

We use the convention here and elsewhere of indicating the outermost Π-prefix in clauses implicitly by using
upper-case letters for the variables they bind. Let Σ be the signature described thus far and Γ be the above
pair of clauses R1, R2. Then, the typing judgment x₁:T₁, …, xₙ:Tₙ ▷ M : T is realized by the HH sequent
Σ; Γ, of x₁ ⌜T₁⌝, …, of xₙ ⌜Tₙ⌝ ⊢ of ⌜M⌝ ⌜T⌝. For instance, the judgment · ▷ λx. λy. (x y) : (b → b) → (b →
b) is represented by the HH sequent

Σ; Γ ⊢ of (abs (λx. abs (λy. (app x y)))) (arr (arr b b) (arr b b)).

The context is not explicit in the representation of typing judgments, i.e., of is a relation between only
a term and a type. Instead, the context is realized using an embedded hypothetical judgment in R2, the
program clause corresponding to abs. In the course of proof-search, such assumptions are accumulated as
new program clauses for of corresponding to the bound variables. As an example, the HH derivation for the
sequent above leads to

Σ, z:tm, w:tm; Γ, of z (arr b b), of w b ⊢ of (app z w) b

This sequent encodes typing a term with no abstractions in a typing context containing typing assumptions
for the free variables of the term.

$$
\dfrac{}{\Sigma;\Delta,B \vdash B'}\;\mathit{init}\ (B \approx B')
\qquad
\dfrac{\Sigma;\Delta \vdash B \quad \Sigma;\Delta,B' \vdash C}{\Sigma;\Delta \vdash C}\;\mathit{cut}\ (B \approx B')
$$

$$
\dfrac{\Sigma,\mathcal{C} \vdash t : \tau \quad \Sigma;\Delta,B\,t \vdash C}{\Sigma;\Delta,\forall_\tau B \vdash C}\;{\forall}L
\qquad
\dfrac{\Sigma,h;\Delta \vdash B\,(h\,\bar c)}{\Sigma;\Delta \vdash \forall B}\;{\forall}R\ (h \notin \Sigma)\ (\bar c = \mathrm{supp}(B))
$$

$$
\dfrac{\Sigma;\Delta,B\,a \vdash C}{\Sigma;\Delta,\nabla B \vdash C}\;{\nabla}L\ (a \in \mathcal{C}\setminus\mathrm{supp}(B))
\qquad
\dfrac{\Sigma;\Delta \vdash B\,a}{\Sigma;\Delta \vdash \nabla B}\;{\nabla}R\ (a \in \mathcal{C}\setminus\mathrm{supp}(B))
$$

Figure 2: Selected rules of G.

3 The Two-Level Logic Approach to Reasoning 

Presentations in the SOS style are usually given a closed-world reading, wherein relations are considered to 
be characterized fully by the given inference rules. Thus, the rules shown earlier for the typing judgment 
for λ-terms are used not only to relate well-typed terms to their types, but also to argue that a term such as
λx. (x x) cannot be typed. The HH logic realizes only the positive part of such an interpretation. To provide
a complete formalization of the intended meaning of SOS style rules, we use the logic G [6] that supports
fixed-point definitions.

The basis for G is also an intuitionistic and predicative version of Church's Simple Theory of Types.
Types are determined in G as in HH except that the type of formulas is prop rather than o. The logical
constants of G consist initially of ⊤ and ⊥ of type prop; ∧, ∨ and ⊃ of type prop → prop → prop; for
every type τ not containing prop, the quantifiers ∀_τ and ∃_τ of type (τ → prop) → prop; and the equality
symbol =_τ of type τ → τ → prop. The proof system for G is presented as a sequent calculus with sequents
of the form Σ; Δ ⊢ C where Δ is a set of formulas (i.e., terms of type prop), C is a formula, and Σ contains
the free eigenvariables in Δ and C. The treatment of fixed-point definitions in G results in the eigenvariables
being given an extensional interpretation; in other words, unfolding a definition on the left may instantiate
some of the eigenvariables and introduce other eigenvariables. To provide the capability of reasoning about
open λ-terms, which is necessary for many kinds of reasoning over λ-tree syntax, G also supports generic
reasoning. Specifically, for every type τ not containing prop, G includes an infinite set of nominal constants
of type τ, and a generic quantifier ∇_τ of type (τ → prop) → prop [14]. We use 𝒞 to denote the collection
of all nominal constants, and assume that it is disjoint from the eigenvariables contained in Σ and from the
(logical and non-logical) constants contained in the signature. We write Σ, 𝒞 ⊢ t : τ to mean that t is a
well-formed term of type τ all of whose free variables and nominal constants are drawn from Σ and 𝒞
respectively, with its constants drawn from the signature. Like with HH, we often omit types and adopt the
usual syntactic conventions for displaying the logical connectives.

Nominal constants are used to simplify generic judgments in the course of proof search. A correct
formalization of this idea needs two provisos: that quantifier scopes be respected and that judgments that
differ only in the names of nominal constants be identified. Figure 2 contains a few rules of G that show how
these conditions are realized.¹ The essential feature of nominal constants is equivariance: two terms B and
B' are considered to be equal, written B ≈ B', if they are λ-convertible modulo a permutation of the nominal
constants. We write supp(B), called the support of B, for the (finite) collection of nominal constants
occurring in B. The rules for ∇ are the same on both sides of the sequent; in each case a nominal constant
that doesn't already exist in the support of the principal formula is chosen to replace the ∇-quantified variable.
In the ∀R rule of Fig. 2 the eigenvariable is raised over the support of the principal formula; this is needed
to express permitted dependencies on these nominal constants in a situation where later substitutions for
eigenvariables will not be allowed to contain them. Note, however, that nominal constants may be used in
witnesses in the ∀L rule.

To accommodate fixed-point definitions, G is parameterized by sets of definitional clauses. Each such
clause has the form ∀x̄. (∇z̄. A) ≜ B where A is an atomic formula (called the head) whose free variables
are drawn from x̄ and z̄, and B is an arbitrary formula (called the body) whose free variables are also free

¹The full system can be found in [6].
$$
\begin{array}{l@{\;\triangleq\;}l}
\mathit{seq}\,L\,(G_1 \,\&\, G_2) & \mathit{seq}\,L\,G_1 \wedge \mathit{seq}\,L\,G_2 \\
\mathit{seq}\,L\,(F \Rightarrow G) & \mathit{seq}\,(F :: L)\,G \\
\mathit{seq}\,L\,(\Pi_\tau G) & \forall x{:}\tau.\ \mathit{seq}\,L\,(G\,x) \\
\mathit{seq}\,L\,A & \mathit{atomic}\,A \wedge \exists F.\ \mathit{member}\,F\,L \wedge \mathit{sync}\,L\,F\,A \\[4pt]
\mathit{sync}\,L\,(F_1 \,\&\, F_2)\,A & \mathit{sync}\,L\,F_1\,A \vee \mathit{sync}\,L\,F_2\,A \\
\mathit{sync}\,L\,(G \Rightarrow F)\,A & \mathit{seq}\,L\,G \wedge \mathit{sync}\,L\,F\,A \\
\mathit{sync}\,L\,(\Pi_\tau F)\,A & \exists t{:}\tau.\ \mathit{sync}\,L\,(F\,t)\,A \\
\mathit{sync}\,L\,A\,A & \top
\end{array}
$$

Figure 3: Encoding of HH rules as inductive definitions in G.

in ∇z̄. A. Each clause partially defines a relation named by the predicate in the head. In every definitional
clause ∀x̄. (∇z̄. A) ≜ B, we require that supp(∇z̄. A) = supp(B) = ∅. Consistency of G also requires predicate
occurrences in the body of a clause to satisfy certain stratification conditions that we do not discuss
explicitly here for lack of space; see [6].

G includes special rules for treating definitions. When an atom occurs on the right of a sequent, then
any of the clauses with a matching head may be used to replace the atom by the corresponding body of the
clause; in other words, clauses may be backchained on. Matching the head of a clause requires some care
with regard to the quantifiers. To match the head of a clause ∀x̄. (∇z̄. A) ≜ B against the atom A', we look for
a collection of nominal constants c̄ and witness terms t̄ that do not contain any of the elements of c̄ such that
[t̄/x̄, c̄/z̄]A ≈ A'. If these can be found, then A' is replaced on the right by [t̄/x̄]B. When an atom A occurs
on the left in a sequent, for every clause and every way of unifying the head of the clause to that atom, a
new premise is created with the corresponding body added to the context. This amounts to a case analysis
over the clauses in a definition. Note that substitutions into the clause must respect the order of the ∀ and ∇
quantifiers at its head. Some of the eigenvariables may be instantiated in the premises thus created, so the
eigenvariable context should be modified to reflect the resulting changes. The final crucial component in G
is the ability to mark certain predicates as being inductive, whereby the set of clauses for that predicate is
interpreted as a least fixed point definition. For lack of space, we do not describe the induction mechanism of
G here; see [6, 7] for the details.

The proof system HH can be represented as an inductive definition in G. The resulting ability to
reason inductively about derivations in HH then indirectly yields a similar reasoning ability for any SOS
system that has been formalized in HH. The similarity in the terms and types of HH and G permits a shallow
representation of the former in the latter: every HH signature Σ is imported unchanged into G. We additionally
use the G type olist to represent contexts as lists of HH formulas, with constructors nil : olist and
( :: ) : o → olist → olist and a standard definition of member : o → olist → prop. The asynchronous
HH sequent Γ ⊢ G is encoded as the defined atom seq L G; likewise, the synchronous HH sequent Γ, [F] ⊢ A
is encoded as the defined atom sync L F A; in either case, L is a list representation of Γ. The encoding of
HH rules as clauses for seq and sync can be found in Fig. 3.² We use the standard notational convention of
omitting the ∀-prefix on clauses and using upper-case letters to indicate ∀-bound variables. Compare Fig. 3
to Fig. 1: each inference rule of HH becomes a single definitional clause in G. We will use the evocative
notation {L ⊢ G} and {L, [F] ⊢ A} to stand for seq L G and sync L F A. We also use commas instead of ::
in this notation, i.e., {L, F ⊢ G} stands for seq (F :: L) G, etc. Meta-theorems of HH can be proven in G in
terms of this representation.

Proposition 1. The following G sequents, representing the properties of monotonicity, cut-admissibility, and
instantiation for HH, are all derivable.³

1. ·; · ⊢ ∀L, L', G. (∀F. member F L ⊃ member F L') ⊃ {L ⊢ G} ⊃ {L' ⊢ G}.

2. ·; · ⊢ ∀L, F, G. {L ⊢ F} ⊃ {L, F ⊢ G} ⊃ {L ⊢ G}.

3. ·; · ⊢ ∀L, G. ∇x. {L x ⊢ G x} ⊃ ∀t. {L t ⊢ G t}. □



4 Reasoning About HH Specifications 

Many interesting HH specifications have a higher-order nature. This complicates inductive reasoning because
the context in an HH sequent can be extended dynamically when unfolding the definition of seq. In the
framework described in the previous section, this problem can be dealt with by qualifying the theorem to be
proved through a characterization of these dynamic extensions. We explain this method below through two
examples. The first example highlights the mechanism of inductive reasoning in G over HH derivations, and
the second demonstrates the technique for dealing with dynamic extensions of the context.

²The predicate atomic : o → prop used here holds only of atomic HH formulas.
³The full proofs of these theorems in Abella can be found in Appendix A.
Our first pedagogical example will be a simple property of determinacy of addition of natural numbers.
Suppose we identify a type nat of natural numbers and add two constructors z : nat and s : nat → nat and
a predicate add : nat → nat → nat → o to the signature. The add predicate defines addition relationally,
containing the two program clauses add z N N (named Z below) and add K M N ⇒ add (s K) M (s N)
(named S below). We would like to prove that these program clauses entail that add is deterministic in its
third argument. In terms of the encoding in Sec. 3, this amounts to proving the following formula:

∀x, y, z, w. {⊢ add x y z} ⊃ {⊢ add x y w} ⊃ z = w.

The fixed set of static program clauses is always assumed to be implicitly present in every HH sequent
depicted using the {} notation in the rest of the paper. Thus, we omit the clauses Z and S to the left of ⊢ in
the theorem above.

We prove this theorem by induction on the first assumption, {⊢ add x y z}. The only rule that applies to
Z, S ⊢ add x y z in HH is decide with the choices for the foci being the two program clauses Z and S. Focusing
on Z gives us:

$$
\dfrac{\dfrac{\dfrac{}{Z, S, [\mathit{add}\ z\ n\ n] \vdash \mathit{add}\ x\ y\ z}\;\mathit{init}\ (x = z)\ (y = n)\ (z = n)}{Z, S, [\Pi n.\ \mathit{add}\ z\ n\ n] \vdash \mathit{add}\ x\ y\ z}\;{\Pi}L}{Z, S \vdash \mathit{add}\ x\ y\ z}\;\mathit{decide}
$$

Each rule above corresponds to unfolding one of the clauses in Fig. 3. The only way for the derivation to
complete with this focus is if it finishes with init, which requires that x = z and y = z = n for some n:nat.
This means that the second assumption of the theorem is {⊢ add z n w}; the only way to prove this is by a
decide on the program clause Z, because the head of S does not match the goal. Hence, it must be that
w = n, so z = w.

In the other case when the focus was on S, we have:

$$
\dfrac{\dfrac{Z, S \vdash \mathit{add}\ k\ m\ n \qquad \dfrac{}{Z, S, [\mathit{add}\ (s\ k)\ m\ (s\ n)] \vdash \mathit{add}\ x\ y\ z}\;\mathit{init}\ (x = s\ k)\ (y = m)\ (z = s\ n)}{Z, S, [\Pi k, m, n.\ \mathit{add}\ k\ m\ n \Rightarrow \mathit{add}\ (s\ k)\ m\ (s\ n)] \vdash \mathit{add}\ x\ y\ z}\;{\Pi}L\ (\times 3),\ {\Rightarrow}L}{Z, S \vdash \mathit{add}\ x\ y\ z}\;\mathit{decide}
$$

Once again, since the rightmost premise must finish in init, it must be the case that x = s k, y = m, and z = s n,
for some k, m, and n. We now have an additional G assumption {⊢ add k m n} that comes from the left
premise of this derivation; moreover, it is a strict sub-derivation (because the associated measure is smaller)
and hence may be used for the inductive hypothesis. By inversion on the second assumption of the theorem
(focusing on S again), it must be the case that there is some n' such that w = s n' and {⊢ add k m n'}. By
applying the inductive hypothesis, it must be that n = n'. Hence, z = s n = s n' = w.

The general structure of such G theorems is to perform an induction on the structure of a given seq
assumption, written using {), followed by a case analysis of the ways in which it might have been derived 
in HH. In the simple addition example, the dynamic program context is never extended, and it suffices to 
consider applications of decide where the focus is one of the static program clauses. This guarantees a 
finite number of cases to consider whenever the definition of seq is unfolded. Obviously, case-analyses 
should remain finite even when reasoning about higher-order specifications. This can only be achieved if 
the dynamic program context can be finitely characterized and this characterization can be encoded in the 
reasoning framework. There is a general method for doing so for any given HH specification, which we 
illustrate with our next example. 

This example concerns the translation of λ-terms to De Bruijn form. To represent terms in De Bruijn form
we introduce a new type dtm, and three signature constants dvar : nat → dtm, dapp : dtm → dtm → dtm
and dabs : dtm → dtm. The dvar constructor is used to represent variable occurrences using De Bruijn
indexes, which are the natural numbers defined previously. We describe the correspondence between a
λ-term in the notation where bound variables are named and the De Bruijn form through the atomic formula
hodb m h d where m:tm, d:dtm and h:nat; here h represents the number of λ-abstractions in scope. The
predicate hodb with this property is defined by the following program clauses.

hodb M H D ⇒ hodb N H E ⇒ hodb (app M N) H (dapp D E). (P)
(Πx. (Πi, k. add H k i ⇒ hodb x i (dvar k)) ⇒ hodb (M x) (s H) D) ⇒ hodb (abs M) H (dabs D). (B)

The relation defined above is deterministic in its first and third arguments, i.e., it constitutes an isomorphism
between the two representations of λ-terms. Suppose we want to prove in G that it is deterministic in
its third argument, i.e.,

∀m, h, d, e. {⊢ hodb m h d} ⊃ {⊢ hodb m h e} ⊃ d = e.
If we try to prove this theorem by induction on one of the assumptions, like we did for add before, then we
will get stuck when focusing on the program clause B. This case adds a new dynamic program clause, but the
theorem as stated (and hence the induction) can only support an empty set of dynamic clauses. The remedy is
to generalize the theorem to account for the dynamic clauses that may arise in the derivation being inducted
over. That is, we look in the HH program clauses to find all the dynamic clauses that may be added when
searching for an HH proof of P, B ⊢ hodb m h d. Focusing on B for such a sequent looks as follows, where G is
hodb (abs m) h (dabs d).

$$
\dfrac{\dfrac{\dfrac{x{:}\mathit{tm};\ P, B, (\Pi i, k.\ \mathit{add}\ h\ k\ i \Rightarrow \mathit{hodb}\ x\ i\ (\mathit{dvar}\ k)) \vdash \mathit{hodb}\ (m\ x)\ (s\ h)\ d}{P, B \vdash \Pi x.\ (\Pi i, k.\ \mathit{add}\ h\ k\ i \Rightarrow \mathit{hodb}\ x\ i\ (\mathit{dvar}\ k)) \Rightarrow \mathit{hodb}\ (m\ x)\ (s\ h)\ d}\;{\Pi}R, {\Rightarrow}R \qquad \dfrac{}{P, B, [G] \vdash G}\;\mathit{init}}{P, B, [B] \vdash G}\;{\Pi}L, {\Rightarrow}L}{P, B \vdash G}\;\mathit{decide}
$$

The first premise has a new dynamic program clause. Repeating the analysis with proofs of this premise, we
observe that applications of decide on this dynamic clause will not extend the dynamic context further. Thus,
all extensions of the dynamic context come from foci on B, and each such extension is with a program clause
of the form Πi, k. add h k i ⇒ hodb x i (dvar k) for some term h:nat and for some signature extension x:tm.

In G, we can fully characterize such dynamic contexts in terms of an inductive definition ctx : olist →
prop with the following definitional clauses.

ctx nil ≜ ⊤        (∇x. ctx ((Πi, k. add H k i ⇒ hodb x i (dvar k)) :: L)) ≜ ctx L.

Note the occurrence of ∇x at the head of the second clause in the definition of ctx: it guarantees that x does
not occur in H or L. Therefore, in any L for which ctx L holds, it must be the case that there is exactly one
such dynamic clause for each such x ∈ supp(L). It is easy to establish this fact in terms of a pair of theorems
in G, both proven by induction on ctx.

∀L, E. ctx L ⊃ member E L ⊃ ∃x, h. E = (Πi, k. add h k i ⇒ hodb x i (dvar k)) ∧ name x. (X1)
∀L, x, h₁, h₂. ctx L ⊃ member (Πi, k. add h₁ k i ⇒ hodb x i (dvar k)) L
    ⊃ member (Πi, k. add h₂ k i ⇒ hodb x i (dvar k)) L ⊃ h₁ = h₂. (X2)

In G the predicate name : tm → prop is defined by (∇x. name x) ≜ ⊤. Thus name x is true only if x is a
nominal constant.

We strengthen the determinacy theorem using ctx to the following.⁴

∀L, m, h, d, e. ctx L ⊃ {L ⊢ hodb m h d} ⊃ {L ⊢ hodb m h e} ⊃ d = e.

Now, when we induct on one of the HH derivations, we can apply the induction hypothesis assuming that we 
can establish ctx for the extended dynamic context we encounter when unfolding the definition of seq. 

In analyzing HH derivations, we also have to consider the possibility of using the dynamically added
clauses. It is possible to prove the HH goal hodb m h d that appears in the second assumption by focusing
on an element of L using decide. In terms of the definition of seq (Fig. 3), this amounts to unfolding
{L ⊢ hodb m h d} to yield ∃F. member F L ∧ {L, [F] ⊢ hodb m h d}. This does not mean that we have to
generalize the theorem further to mention synchronous sequents. Rather, because ctx L and member F L,
we can use the finite characterization of L in lemmas X1 and X2 to reveal the structure of F. It will be a
clause with an atomic head, which allows us to unfold the sync definition fully and produce a collection of
asynchronous (seq) premises.

To summarize, to reason about a higher-order HH specification, we must first determine all the possible 
forms of the dynamic context extensions in an HH derivation of a sequent, then write a G definition of these
dynamic contexts, and then strengthen the theorems to include this finite characterization of dynamic contexts 
as an additional assumption. Then, in the induction, we use this finite characterization of the dynamic clauses 
to make the case-analysis finite. 
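The focused search of Fig. 1, its encoding as seq and sync in Fig. 3, and the add and hodb examples above, as an added runnable illustration; it is not part of the paper and not Abella code. Its encodings are its own: terms are tuples (functor, args...), an object-level binder is a Python function applied through an '@' node, the Var class stands for the variables ΠL introduces, fresh_const for the eigenvariables ΠR introduces, and & is left out because neither specification uses it. The point it makes concrete is that the program list L grows only in the implication case of seq, i.e. exactly at the uses of B, so each dynamic clause has the shape that the ctx definition enumerates, and that add and hodb each return a single answer, as the determinacy theorems state.

```python
# Added illustration (not Abella and not the paper's code): a small focused
# proof-search procedure in the shape of Fig. 1 / Fig. 3, run on the add and hodb
# clauses of Sec. 4. Encodings are this example's own: terms are tuples
# (functor, args...), an object-level binder is a Python function, ('@', f, x)
# applies one, Var is a Pi-L instance and fresh_const a Pi-R eigenvariable.
# Conjunction (&) is left out because neither specification uses it.
import itertools

class Var:
    _ids = itertools.count()
    def __init__(self, name): self.name, self.id = name, next(Var._ids)
_eigen = itertools.count()
def fresh_const(name): return (f"{name}#{next(_eigen)}",)
def walk(t, s):
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t
def norm(t, s):
    """Apply substitution s and beta-reduce object-level applications ('@', f, x)."""
    t = walk(t, s)
    if isinstance(t, tuple) and t[0] == '@':
        f, x = norm(t[1], s), norm(t[2], s)
        return norm(f(x), s) if callable(f) else ('@', f, x)
    return (t[0],) + tuple(norm(x, s) for x in t[1:]) if isinstance(t, tuple) else t
def occurs(v, t):
    return t is v or (isinstance(t, tuple) and any(occurs(v, x) for x in t[1:]))
def unify(a, b, s):
    """First-order unifier extending s (with occurs check), or None."""
    a, b = norm(a, s), norm(b, s)
    if a is b:
        return s
    for v, t in ((a, b), (b, a)):
        if isinstance(v, Var):
            return None if occurs(v, t) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b) and a[0] == b[0]:
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None
def replace(f, v, t):
    """Substitute t for the bound variable v throughout a formula or term f."""
    return t if f is v else (tuple(replace(x, v, t) for x in f) if isinstance(f, tuple) else f)

# Formulas: ('atom', A), ('imp', G, F) for G => F, ('all', v, F) for Pi v. F
def atom(pred, *args): return ('atom', (pred, *args))
def imp(g, f): return ('imp', g, f)
def all_(name, body): v = Var(name); return ('all', v, body(v))

def seq(L, G, s):
    """Asynchronous sequent L |- G (seq in Fig. 3); yields each substitution proving it."""
    if G[0] == 'imp':        # hypothetical judgment: the program grows dynamically
        yield from seq([G[1]] + L, G[2], s)
    elif G[0] == 'all':      # universal judgment: a fresh eigenvariable
        yield from seq(L, replace(G[2], G[1], fresh_const(G[1].name)), s)
    else:                    # atomic goal: decide on some program clause
        for F in L:
            yield from sync(L, F, G[1], s)

def sync(L, F, A, s):
    """Synchronous sequent L, [F] |- A (sync in Fig. 3): decompose the focus F."""
    if F[0] == 'atom':       # init: the head must match the goal
        s1 = unify(F[1], A, s)
        if s1 is not None:
            yield s1
    elif F[0] == 'imp':      # G => F': keep the focus on F', then prove G
        for s1 in sync(L, F[2], A, s):
            yield from seq(L, F[1], s1)
    elif F[0] == 'all':      # Pi-L: instantiate with a new logic variable
        yield from sync(L, replace(F[2], F[1], Var(F[1].name)), A, s)

z = ('z',)
def s_(t): return ('s', t)
# Static program clauses Z, S (addition) and P, B (named-to-De Bruijn translation)
Z = all_('N', lambda N: atom('add', z, N, N))
S = all_('K', lambda K: all_('M', lambda M: all_('N', lambda N:
        imp(atom('add', K, M, N), atom('add', s_(K), M, s_(N))))))
P = all_('M', lambda M: all_('N', lambda N: all_('H', lambda H: all_('D', lambda D: all_('E', lambda E:
        imp(atom('hodb', M, H, D), imp(atom('hodb', N, H, E),
            atom('hodb', ('app', M, N), H, ('dapp', D, E)))))))))
B = all_('M', lambda M: all_('H', lambda H: all_('D', lambda D:
        imp(all_('x', lambda x: imp(all_('i', lambda i: all_('k', lambda k:
                    imp(atom('add', H, k, i), atom('hodb', x, i, ('dvar', k))))),
                atom('hodb', ('@', M, x), s_(H), D))),
            atom('hodb', ('abs', M), H, ('dabs', D))))))
PROGRAM = [Z, S, P, B]

def answers(goal, q):
    """Value of query variable q in every HH answer for goal under PROGRAM."""
    return [norm(q, s) for s in seq(PROGRAM, goal, {})]
def add_answers(x, y):       # every Z with add x y Z derivable; one element is what determinacy predicts
    Zv = Var('Z'); return answers(atom('add', x, y, Zv), Zv)
def hodb_answers(term):      # every d with hodb term z d derivable
    Dv = Var('D'); return answers(atom('hodb', term, z, Dv), Dv)
# Constructed sample term \x. \y. x y, binders as Python functions (lambda-tree syntax)
TERM = ('abs', lambda x: ('abs', lambda y: ('app', x, y)))
```

add_answers(s_(s_(z)), s_(z)) returns the single answer s (s (s z)), and hodb_answers(TERM) returns the single answer dabs (dabs (dapp (dvar 2) (dvar 1))) with the indices written as s/z numerals; a goal the clauses cannot prove yields the empty list, which is the closed-world reading that the two-level approach makes available for reasoning. Each application of B pushes one clause of the form Πi,k. add h k i ⇒ hodb x i (dvar k) for a fresh x onto L, and nothing else ever extends L, which is the finite characterization that ctx records.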

5 Some Complex Examples of Higher-Order Reasoning

We now present two further examples to demonstrate the generality of our approach to reasoning about 
higher-order HH specifications. Each example uses an inductive definition in $\mathcal{G}$ to characterize program 
clauses that are added dynamically. Structural properties of these clauses are then proved as lemmas and 
used in the proofs of the main theorems. We highlight only the key applications of higher-order reasoning in 
the examples; the full developments appear in Appendices C and D. 



5.1 Transitivity of Subtyping in System Fsub 

In [17], a variant of the POPLMark challenge problem 1a of showing the transitivity of subtyping in system 
Fsub was presented using an elegant higher-order encoding of the subtyping rules in Twelf. This development 
was proposed as a proof pearl because not only was the encoding natural but also the use of higher-order 
clauses allowed a succinct treatment of substitution in terms of function application in the meta-language. 
Substantially the same development can be achieved with HH and $\mathcal{G}$, which we demonstrate here with an 
Abella development that can be directly compared to the Twelf development in [17]. 

Briefly, the encoding of system Fsub types uses a type $tp$ and the following signature constants: $top : tp$ 
for the topmost type, $arr : tp \to tp \to tp$ to represent function types $S \to T$, and $all : tp \to (tp \to 
tp) \to tp$ to denote the bounded subtype-polymorphic type $\forall \alpha <: S.\ T$. The subtyping relation $<:$ is represented 
by $sub : tp \to tp \to o$ with the following program clauses. 

$sub\ T\ top.$ (S1)

$sub\ T_1\ S_1 \Rightarrow sub\ S_2\ T_2 \Rightarrow sub\ (arr\ S_1\ S_2)\ (arr\ T_1\ T_2).$ (S2)

$sub\ T_1\ S_1 \Rightarrow (\Pi a.\ (\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v) \Rightarrow sub\ a\ a \Rightarrow sub\ a\ T_1 \Rightarrow sub\ (S_2\ a)\ (T_2\ a)) \Rightarrow sub\ (all\ S_1\ S_2)\ (all\ T_1\ T_2).$ (S3)

The first two clauses S1 and S2 are straightforward. In the third clause S3, the second assumption has 
embedded program clauses defining transitivity and reflexivity of subtyping for the bound type $a$, and the 
fact that it is below $T_1$. Using these clauses, the statement of transitivity of subtyping in $\mathcal{G}$ is as follows: 

$\forall L, s, q, t.\ ctx\ L \supset \{L \vdash sub\ s\ q\} \supset \{L \vdash sub\ q\ t\} \supset \{L \vdash sub\ s\ t\}$ 

Just as in Sec. 4, we finitely characterize the dynamic contexts $L$ using a definition $ctx : olist \to prop$ in 
terms of the following definitional clauses. 

$ctx\ nil \triangleq \top.$

$(\nabla a.\ ctx\ (sub\ a\ T :: sub\ a\ a :: (\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v) :: L)) \triangleq ctx\ L.$ 

Note that the $\nabla$ at the head in the second clause guarantees that $a$ does not occur in $T$ or $L$. This lets us derive 
that if $ctx\ L$ and $member\ E\ L$ hold, then $E$ must be one of the forms added to the context in the second 
clause. 

The proof of transitivity proceeds by induction on the structure of the type $q$ (which requires an ancillary 
definition that we have elided here to simplify the presentation); for each form of $q$, the argument proceeds 
by case analysis on the encoded HH sequent $\{L \vdash sub\ s\ q\}$. Most cases are straightforward and follow the 
structure of the example of Sec. 4. The only interesting case is when $q$ has the form $all\ q_1\ q_2$, whence 
the case analysis on the assumption $\{L \vdash sub\ (all\ s_1\ s_2)\ (all\ q_1\ q_2)\}$ produces a premise (corresponding to 
decide on the static program clause S3) 

$\{L, (\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v), sub\ a\ a, sub\ a\ q_1 \vdash sub\ (s_2\ a)\ (q_2\ a)\}$ ($\star$) 

where $a$ is some nominal constant. However, in order to establish the conclusion $\{L \vdash sub\ (all\ q_1\ q_2)\ (all\ t_1\ t_2)\}$ 
using the inductive hypothesis we need to show: 

$\{L, (\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v), sub\ a\ a, sub\ a\ t_1 \vdash sub\ (s_2\ a)\ (q_2\ a)\}$ ($\dagger$) 

In usual formal proofs of transitivity of subtyping in system Fsub, at this point one needs to prove a narrowing 
lemma to relax the assumption $sub\ a\ q_1$ to $sub\ a\ t_1$. However, in our case we can deftly avoid this distraction 
by using the meta-theoretic properties we have proven about HH derivations in $\mathcal{G}$ (Thm. 1). In particular, we 
know that $\{(\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v), sub\ t_1\ q_1, sub\ a\ t_1 \vdash sub\ a\ q_1\}$, so by cutting against ($\star$) we 
obtain 

$\{L, (\Pi u, v.\ sub\ a\ u \Rightarrow sub\ u\ v \Rightarrow sub\ a\ v), sub\ a\ a, sub\ a\ t_1, sub\ t_1\ q_1 \vdash sub\ (s_2\ a)\ (q_2\ a)\}$ ($\ddagger$) 

and since we can independently establish $\{L \vdash sub\ t_1\ q_1\}$ (by a different application of the inductive hypothesis), 
a second cut against ($\ddagger$) gets us to the desired form ($\dagger$). The rest of the proof, particularly reasoning about 
the dynamic clauses, follows the outline of the example of Sec. 4. 

5.2 Preservation of $\lambda$-Paths by Beta-Reduction 

A path through a $\lambda$-term is a way to reach any non-binding occurrence of a variable in the term [13, Chap. 4.2]. 
In HH, we can identify a type $p$ of paths with the following constructors in the signature: $left, right : 
p \to p$ to descend to the function or the argument sub-trees in an application, and $bnd : (p \to p) \to p$ 
to descend through a $\lambda$-abstraction. Crucially, $bnd$ has the same binding structure as the $\lambda$-abstractions 
encountered along the path. The predicate $path : tm \to p \to o$ asserts that a given $\lambda$-term contains a 
given path; it is defined by the following three program clauses. 

$path\ M\ P \Rightarrow path\ (app\ M\ N)\ (left\ P).$ $\quad$ $path\ N\ P \Rightarrow path\ (app\ M\ N)\ (right\ P).$

$(\Pi x, p.\ path\ x\ p \Rightarrow path\ (M\ x)\ (P\ p)) \Rightarrow path\ (abs\ M)\ (bnd\ P).$ 

As these paths record the specific structure of a $\lambda$-term, $\beta$-reduction changes the paths in the term. On the 
other hand, a path through the result of reducing $app\ (abs\ (\lambda x.\ M\ x))\ N$ would be a path through $M\ x$ with the 
additional proviso that any path through $N$ is also a path through the variable $x$. 

Suppose we want to compute the paths in a term that results from reducing certain marked $\beta$-redexes. 
Formally, we can add a new constructor for marked redexes, $beta : (tm \to tm) \to tm \to tm$, with the 
understanding that $beta\ M\ N$ denotes the same $\lambda$-term as $app\ (abs\ M)\ N$, except that the redex is marked. 
We can then define a relation $bred : tm \to tm \to o$ that reduces all the marked $\beta$-redexes in a term, with the 
following program clauses: 

$bred\ M\ U \Rightarrow bred\ N\ V \Rightarrow bred\ (app\ M\ N)\ (app\ U\ V).$

$(\Pi x.\ bred\ x\ x \Rightarrow bred\ (M\ x)\ (U\ x)) \Rightarrow bred\ (abs\ M)\ (abs\ U).$

$(\Pi x.\ (\Pi u.\ bred\ N\ u \Rightarrow bred\ x\ u) \Rightarrow bred\ (M\ x)\ V) \Rightarrow bred\ (beta\ M\ N)\ V.$ 

We also add a new program clause for paths through a marked redex. 

$(\Pi x.\ (\Pi q.\ path\ N\ q \Rightarrow path\ x\ q) \Rightarrow path\ (M\ x)\ P) \Rightarrow path\ (beta\ M\ N)\ P.$ 

Note that this HH specification has two different higher-order formulations. Proofs of $bred\ M\ U$ will 
add dynamic clauses involving $bred$, while proofs of $path\ M\ P$ will add dynamic clauses involving $path$. 
We would like to prove that $bred$ preserves $path$, so the statement of the theorem would have to account 
for proofs of both kinds, and hence for both kinds of dynamic clauses. In many systems such as Twelf or 
Beluga, such a theorem would be proved in a common context containing both kinds of dynamic clauses. In 
$\mathcal{G}$, however, we can keep the two kinds of dynamic contexts separate, but relate them through a definition. 
The following definition of $ctx2 : olist \to olist \to prop$ achieves this. 

$ctx2\ nil\ nil \triangleq \top.$ $\quad$ $(\nabla x, p.\ ctx2\ (bred\ x\ x :: K)\ (path\ x\ p :: L)) \triangleq ctx2\ K\ L.$

$(\nabla x.\ ctx2\ ((\Pi u.\ bred\ N\ u \Rightarrow bred\ x\ u) :: K)\ ((\Pi p.\ path\ N\ p \Rightarrow path\ x\ p) :: L)) \triangleq ctx2\ K\ L.$ 

The $ctx2$ predicate not only defines the dynamic contexts, but says how any two such contexts are related. 
As before, the $\nabla$-bound variables at the head guarantee that every variable has a unique dynamic clause in 
both contexts. The formula stating that $bred$ preserves $path$ is then as follows. 

$\forall K, L, m, u, p.\ ctx2\ K\ L \supset \{K \vdash bred\ m\ u\} \supset \{L \vdash path\ m\ p\} \supset \{L \vdash path\ u\ p\}.$ 



This theorem is proved by induction on $\{K \vdash bred\ m\ u\}$. The technique outlined in Sec. 4 and 5.1 works 
for most cases involving backchaining on the static program clauses. To handle backchaining on dynamic 
clauses, we will sometimes need lemmas such as the following: 

$\forall K, L, n, p.\ \nabla a.\ ctx2\ (K\ a)\ (L\ a) \supset member\ (\Pi q.\ path\ n\ q \Rightarrow path\ a\ q)\ (L\ a) \supset \{L\ a \vdash path\ a\ p\} \supset \{L\ a \vdash path\ n\ p\}$ 

Such an inversion property holds because, if the dynamic clause $\Pi q.\ path\ n\ q \Rightarrow path\ a\ q$ occurs in $L\ a$, 
then it must be the sole clause in $L\ a$ mentioning $a$. 
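The following Python program is an added illustration, not part of the paper or of its Abella development: it reads the clauses for $path$ and $bred$ above operationally, with the environment playing the role of the dynamically added clauses ($path\ x\ p$ and $\Pi q.\ path\ N\ q \Rightarrow path\ x\ q$ on the path side, $bred\ x\ x$ and $\Pi u.\ bred\ N\ u \Rightarrow bred\ x\ u$ on the reduction side), and checks the path-preservation theorem on a constructed term. The term and path encodings, the function names and the sample term are all constructed for this example.

```python
"""Paths through lambda-terms and reduction of marked beta-redexes (added
example, not from the paper). Constructed encodings:
  term: ('var', x) | ('app', M, N) | ('abs', x, M) | ('beta', x, R, N)
        where ('beta', x, R, N) is the marked redex  beta (x\ R) N
  path: ('left', P) | ('right', P) | ('bnd', p, P) | ('pvar', p)
"""
from itertools import count

_counter = count()


def fresh(prefix):
    """Globally fresh name; plays the role of a nominal constant."""
    return f"{prefix}{next(_counter)}"


def paths(term, env=None):
    """Set of all paths through `term`.

    `env` maps a variable to the set of paths it stands for: an abs-bound x
    stands for the path variable p bound by bnd (dynamic clause `path x p`),
    a beta-bound x stands for the paths of N (dynamic clause
    `pi q\ path N q => path x q`)."""
    env = {} if env is None else env
    kind = term[0]
    if kind == 'var':
        return env[term[1]]
    if kind == 'app':
        _, m, n = term
        return ({('left', q) for q in paths(m, env)}
                | {('right', q) for q in paths(n, env)})
    if kind == 'abs':
        _, x, m = term
        p = fresh('p')
        return {('bnd', p, q) for q in paths(m, {**env, x: {('pvar', p)}})}
    if kind == 'beta':
        _, x, r, n = term
        return paths(r, {**env, x: paths(n, env)})
    raise ValueError(f"unknown term constructor {kind!r}")


def bred(term, env=None):
    """Reduce every marked redex, following the `bred` clauses.

    `env` maps a variable to its reduct: an abs-bound x to itself (dynamic
    clause `bred x x`), a beta-bound x to the reduct of N (dynamic clause
    `pi u\ bred N u => bred x u`)."""
    env = {} if env is None else env
    kind = term[0]
    if kind == 'var':
        return env[term[1]]
    if kind == 'app':
        _, m, n = term
        return ('app', bred(m, env), bred(n, env))
    if kind == 'abs':
        _, x, m = term
        y = fresh('y')  # fresh binder: substituting a reduct under it cannot capture
        return ('abs', y, bred(m, {**env, x: ('var', y)}))
    if kind == 'beta':
        _, x, r, n = term
        return bred(r, {**env, x: bred(n, env)})
    raise ValueError(f"unknown term constructor {kind!r}")


def canon(path, bound=()):
    """Alpha-normalise a path: drop bnd names and replace each path variable
    by the distance to its binder, so set equality is equality up to renaming."""
    kind = path[0]
    if kind == 'pvar':
        return ('pvar', bound[::-1].index(path[1]))
    if kind == 'bnd':
        return ('bnd', canon(path[2], bound + (path[1],)))
    return (kind, canon(path[1], bound))


def path_set(term):
    return frozenset(canon(q) for q in paths(term))


def paths_preserved(term):
    """The theorem for one term: the paths of m and of its reduct u coincide."""
    return path_set(term) == path_set(bred(term))


# Constructed sample: abs y. beta (x\ abs y. app x y) (app y y), the marked
# redex (\x. \y. x y) (y y) under an outer binder y. Reducing it puts (y y)
# under the inner binder, which a naive named substitution would capture.
SAMPLE = ('abs', 'y',
          ('beta', 'x',
           ('abs', 'y', ('app', ('var', 'x'), ('var', 'y'))),
           ('app', ('var', 'y'), ('var', 'y'))))

if __name__ == '__main__':
    print("reduct:", bred(SAMPLE))
    print("number of paths:", len(path_set(SAMPLE)))
    print("paths preserved:", paths_preserved(SAMPLE))
```

Because `canon` normalises binder names, the check is insensitive to the fresh names `bred` introduces, which is exactly the role the $\nabla$-bound variables of $ctx2$ play in the Abella proof.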

6 Conclusion 

We have presented an extension to the two-level logic framework that allows for the full richness of HH to be 
used in formalizing SOS style descriptions and we have exposed a method for reasoning about higher-order 
specifications in this enriched framework. We have validated our design and methodology by implementing 
an extended Abella system and by using it to develop a number of non-trivial examples of reasoning over 
higher-order specifications. 

There are three systems besides Abella that are, broadly speaking, based on a two-level or nested 
reasoning approach and support higher-order abstract syntax: Twelf [?], Beluga [18] and Hybrid [8]. 
Hybrid is limited to the second-order hereditary Harrop fragment for the specification level, which makes 
it largely similar to the earlier version of Abella described in [?]. Beluga uses the LF type system for its 
object level and a dependently typed functional programming language for its meta-level. Instead of proving 
properties of relational specifications, in Beluga one writes recursive functions to manipulate LF data. To this 
end, Beluga supports sophisticated reasoning about contextual terms, including a case-coverage checker for 
pattern-matching over such terms. However, Beluga lacks a termination checker, so it cannot verify that a 
recursive function proves a corresponding theorem. 

Of the three systems, only Twelf is designed to reason about higher-order relational specifications. It has 
been shown that specifications in the LF language of Twelf can be systematically and faithfully translated 
into HH [19]. The image of this encoding of an LF signature in HH uses higher-order features pervasively, 
and was an early inspiration for the present work of supporting reasoning over higher-order specifications in 
Abella. Twelf's meta-level is not a logic but a family of fully automated meta-theoretic tools that can check 
properties asserted about LF specifications. These tools include a means of checking that a given inductive 
type family defines a total relation, i.e., that it proves a theorem by induction. The major examples in this 
paper have also been done in Twelf to serve as a comparison of the two systems. 

To reason about higher-order specifications, Twelf uses user-provided context schemas built out of a 
simple regular language of context blocks. Schemas are similar to the dynamic context definitions from 
Sec. 4 and 5, but less expressive. The principal difference is that in a single run of the totality checker, the 
entire LF specification shares the same dynamic context; thus, in the $\lambda$-paths example of Sec. 5.2, the theorem 
is proved in a context that contains both $bred$ and $path$ assumptions. To obtain a level of modularity, Twelf 
uses a sophisticated system of context subsumption, wherein a proof in a smaller context schema can be 
imported into a larger schema. This is sometimes a benefit; in $\mathcal{G}$, we must prove any such subsumption 
lemmas manually. On the other hand, because Abella represents context definitions using logic, properties 
about context definitions can be proven using lemmas and used in a modular fashion, as we have done in 
the examples in Sec. 4 and 5. Twelf does not support any kind of reasoning about context schemas directly, 
which both limits the modularity and increases the verbosity of Twelf proofs. Finally, Twelf's meta-reasoning 
can only check $\Pi_2$ theorems, whereas $\mathcal{G}$ theorems are not limited to any fragment of intuitionistic logic. For 
instance, an interesting theorem about $\lambda$-paths that is possible to prove in Abella is that two $\lambda$-terms that have 
the same paths must $\beta$-reduce to a common term; the statement of this theorem uses a quantifier alternation 
that is unavailable in Twelf's meta-reasoning. 
A Meta-Theorems of HH 

The file below, hh_meta.thm, gives formal proofs of the meta-theoretic properties of seq and sync (Thm. 1). 

% Reasoning on multisets

% The definition (remove G A D) asserts that G is D extended with A.
Define remove : olist -> o -> olist -> prop by
  remove (A :: G) A G
; remove (B :: G) A (B :: D) := remove G A D.

% If G is an extension of D, then all members of D are also members of G.
Theorem remove_incl :
  forall G D A B, remove G A D -> member B D -> member B G.
induction on 1. intros. case H1.
  search.
  case H2.
    search.
    apply IH to H3 H4. search.

% If G is D extended with A, then any member of G is either A or a
% member of D.
Theorem remove_charac :
  forall G A D B, remove G A D -> member B G -> A = B \/ member B D.
induction on 1. intros. case H1 (keep).
  case H2.
    search.
    search.
  case H2.
    search.
    apply IH to H3 H4. case H5.
      search.
      search.

% Types of formulas and terms
Kind fm, tm type.

% Terms are left abstract, while formulas have the following constructors
Type atm tm -> fm.
Type and fm -> fm -> fm.
Type top fm.
Type imp fm -> fm -> fm.
Type all (tm -> fm) -> fm.

% Contexts are lists of formulas, but instead of defining a type of
% formula lists, we just reuse the olist type and keep things of
% the form ($fm A) in them. In a polymorphically typed extension
% of Abella, we can avoid this hack.
Type $fm fm -> o.

% We will need to induct on the structure of formulas, so we write
% an inductive definition of all formulas.
Define is_fm : fm -> prop by
  is_fm (atm A)
; is_fm (and A B) := is_fm A /\ is_fm B
; is_fm top
; is_fm (imp A B) := is_fm A /\ is_fm B
; is_fm (all A) := forall x, is_fm (A x).

% The focused sequent calculus consists of two phases: seq and sync
%
% sync L F A stands for L ; [F] |- A (F under focus on the left)
% seq L G stands for L |- G
Define
  seq : olist -> fm -> prop,
  sync : olist -> fm -> tm -> prop
by
  seq L (atm A) := exists F, member ($fm F) L /\ sync L F A
; seq L (and G1 G2) := seq L G1 /\ seq L G2
; seq L top
; seq L (imp F G) := seq ($fm F :: L) G
; seq L (all A) := nabla x, seq L (A x)

; sync L (atm A) A
; sync L (and F1 F2) A := sync L F1 A \/ sync L F2 A
; sync L (imp G F) A := seq L G /\ sync L F A
; sync L (all F) A := exists t, sync L (F t) A.

% Note: the third argument to sync always represents an atom.
% This is because the atomic formula P(t1, ..., tn) is represented as
% (atm (P t1 ... tn)), where P has type (tm -> ... -> tm -> tm).




Theorem $monotone :
  (forall L L' G, (forall E, member E L -> member E L') -> seq L G -> seq L' G)
  /\ (forall L L' F A, (forall E, member E L -> member E L') -> sync L F A -> sync L' F A).
induction on 2 2. split.
  intros. case H2 (keep).
    apply IH1 to H1 H4. apply H1 to H3. search.
    apply IH to H1 H3. apply IH to H1 H4. search.
    search.
    assert forall E, member E ($fm F :: L) -> member E ($fm F :: L').
      intros. case H4. search. apply H1 to H5. search.
    apply IH to H4 H3. search.
    apply IH to H1 H3. search.
  intros. case H2 (keep).
    search.
    case H3.
      apply IH1 to H1 H4. search.
      apply IH1 to H1 H4. search.
    apply IH to H1 H3. apply IH1 to H1 H4. search.
    apply IH1 to H1 H3. search.

Split $monotone as monotone_seq, monotone_sync.

Theorem $weakening :
  (forall L L' B G, remove L' B L -> seq L G -> seq L' G)
  /\ (forall L L' B F A, remove L' B L -> sync L F A -> sync L' F A).
split.
  intros.
    assert forall E, member E L -> member E L'. intros. backchain remove_incl.
    backchain monotone_seq.
  intros.
    assert forall E, member E L -> member E L'. intros. backchain remove_incl.
    backchain monotone_sync.

Split $weakening as weakening_seq, weakening_sync.

Theorem member_inst :
  forall F L, nabla (n:tm), member (F n) (L n) -> forall t, member (F t) (L t).
induction on 1. intros. case H1.
  search.
  apply IH to H2. apply H3 with t = t. search.

% The instantiation lemma
Theorem $inst :
  (forall L G, nabla (n:tm), seq (L n) (G n) -> forall t, seq (L t) (G t))
  /\ (forall L F A, nabla (n:tm), sync (L n) (F n) (A n) -> forall t, sync (L t) (F t) (A t)).
induction on 1 1. split.
  intros. case H1.
    apply IH1 to H3. apply member_inst to H2.
      apply H4 with t = t. apply H5 with t = t. search.
    apply IH to H2. apply IH to H3.
      apply H4 with t = t. apply H5 with t = t. search.
    search.
    apply IH to H2. apply H3 with t = t. search.
    apply IH to H2. apply H3 with t = t. search.
  intros. case H1.
    search.
    case H2.
      apply IH1 to H3. apply H4 with t = t. search.
      apply IH1 to H3. apply H4 with t = t. search.
    apply IH to H2. apply IH1 to H3.
      apply H4 with t = t. apply H5 with t = t. search.
    apply IH1 to H2. apply H3 with t = t. search.

Split $inst as inst_seq, inst_sync.

% The main cut-admissibility theorem.
Theorem $cut :
  (forall L K F G, is_fm F ->
     seq K F -> remove L ($fm F) K -> seq L G -> seq K G)
  /\ (forall L K F F' A, is_fm F ->
     seq K F -> remove L ($fm F) K -> sync L F' A -> sync K F' A)
  /\ (forall L F A, is_fm F ->
     seq L F -> sync L F A -> seq L (atm A)).

% We proceed by nested induction on:
%
% - the structure of the cut-formula, then
% - the structure of the container derivation (i.e., the derivation
%   that contains the cut-formula as a hypothesis).
induction on 1 1 1.
induction on 4 4 3. split.
  intros. case H4 (keep).
    apply remove_charac to H3 H5. case H7.
      case H1 (keep).
        case H6. search.
        case H6 (keep). case H10.
          apply IH4 to H1 H2 H3 H11.
            case H2. apply IH2 to H8 H13 H12. search.
          apply IH4 to H1 H2 H3 H11.
            case H2. apply IH2 to H9 H14 H12. search.
        case H6.
        case H6.
          apply IH3 to H1 H2 H3 H10.
          apply IH4 to H1 H2 H3 H11.
          case H2 (keep).
          apply IH to H8 H12 _ H14.
          apply IH2 to H9 H15 H13. search.
        case H6.
          apply IH4 to H1 H2 H3 H9.
            case H2. apply inst_seq to H11. apply H12 with t = t.
            apply H8 with x = t.
            apply IH2 to H14 H13 H10. search.
      apply IH4 to H1 H2 H3 H6. search.
    apply IH3 to H1 H2 H3 H5.
      apply IH3 to H1 H2 H3 H6. search.
    search.
    assert remove ($fm F1 :: L) ($fm F) ($fm F1 :: K).
      assert seq ($fm F1 :: K) F. backchain weakening_seq.
      apply IH3 to H1 H7 H6 H5. search.
    apply IH3 to H1 H2 H3 H5. search.
  intros. case H4 (keep).
    search.
    case H5.
      apply IH4 to H1 H2 H3 H6. search.
      apply IH4 to H1 H2 H3 H6. search.
    apply IH3 to H1 H2 H3 H5.
      apply IH4 to H1 H2 H3 H6. search.
    apply IH4 to H1 H2 H3 H5. search.
  intros. case H3 (keep).
    search.
    case H4.
      case H1 (keep). case H2 (keep). apply IH2 to H6 H8 H5. search.
      case H1 (keep). case H2 (keep). apply IH2 to H7 H9 H5. search.
    case H1 (keep). case H2 (keep).
      apply IH to H6 H4 _ H8.
      apply IH2 to H7 H9 H5. search.
    case H1 (keep). case H2 (keep).
      apply H5 with x = t.
      apply inst_seq to H6. apply H8 with t = t.
      apply IH2 to H7 H9 H4. search.

Split $cut as cut, cut_commutative, cut_principal.



B Translating Between Higher-Order and De Bruijn Representations 

debruijn.sig — the hh signature 

sig debruijn.

kind nat type.
type z nat.
type s nat -> nat.
type add nat -> nat -> nat -> o.

kind ty type.
type b ty.
type arr ty -> ty -> ty.

kind tm type.
type app tm -> tm -> tm.
type abs (tm -> tm) -> tm.

kind dtm type.
type dapp dtm -> dtm -> dtm.
type dabs dtm -> dtm.
type dvar nat -> dtm.

type dat nat -> ty -> o.
type hodb tm -> nat -> dtm -> o.

debruijn.mod — the program clauses for the De Bruijn translation 

module debruijn.

add z C C.
add (s A) B (s C) :- add A B C.

hodb (app M N) H (dapp DM DN) :- hodb M H DM, hodb N H DN.
hodb (abs R) H (dabs DR) :-
  pi x\ (pi H'\ pi DX\ add H DX H' => hodb x H' (dvar DX)) =>
    hodb (R x) (s H) DR.

debruijn.thm — determinacy proofs 

Specification "debruijn".

%% General property of member

Theorem member_prune : forall E L, nabla (x:tm),
  member (E x) L -> exists F, E = y\F.
induction on 1. intros. case H1.
  search.
  apply IH to H2. search.

%% Properties of addition

Define nat : nat -> prop by
  nat z
; nat (s X) := nat X.

Define le : nat -> nat -> prop by
  le X X
; le X (s Y) := le X Y.

Theorem le_dec : forall X Y,
  le (s X) Y -> le X Y.
induction on 1. intros. case H1.
  search.
  apply IH to H2. search.

Theorem le_absurd : forall X,
  nat X -> le (s X) X -> false.
induction on 1. intros. case H1.
  case H2.
  case H2. apply le_dec to H4. apply IH to H3 H5.

Theorem add_le : forall A B C,
  {add A B C} -> le B C.
induction on 1. intros. case H1.
  search.
  apply IH to H2. search.

Theorem add_absurd : forall A C,
  nat C -> {add A (s C) C} -> false.
intros. apply add_le to H2. apply le_absurd to H1 H3.

Theorem add_zero : forall A C,
  nat C -> {add A C C} -> A = z.
intros. case H2.
  search.
  case H1. apply add_absurd to H4 H3.

% add is deterministic in its first argument
Theorem add_det1 : forall A1 A2 B C,
  nat C -> {add A1 B C} -> {add A2 B C} -> A1 = A2.
induction on 2. intros. case H2.
  apply add_zero to H1 H3. search.
  case H3.
    case H1. apply add_absurd to H5 H4.
    case H1. apply IH to H6 H4 H5. search.

% add is deterministic in its second argument
Theorem add_det2 : forall A B1 B2 C,
  {add A B1 C} -> {add A B2 C} -> B1 = B2.
induction on 1. intros. case H1.
  case H2. search.
  case H2. apply IH to H3 H4. search.
%% Theorems specific to our translation

Define ctx : olist -> nat -> prop by
  ctx nil z
; nabla x,
    ctx ((pi H'\ pi DX\ add H DX H' => hodb x H' (dvar DX)) :: L) (s H) :=
      ctx L H.

Define name : tm -> prop by
  nabla x, name x.

Theorem ctx_nat : forall L H,
  ctx L H -> nat H.
induction on 1. intros. case H1.
  search.
  apply IH to H2. search.

Theorem ctx_inv : forall E L H,
  ctx L H -> member E L ->
  exists X HX,
    E = pi H'\ pi DX\ add HX DX H' => hodb X H' (dvar DX) /\
    name X /\ le (s HX) H.
induction on 1. intros. case H1.
  case H2.
  case H2.
    search.
    apply member_prune to H4. apply IH to H3 H4. search.

Theorem ctx_unique1 : forall L H X H1 H2,
  ctx L H ->
  member (pi H'\ pi DX\ add H1 DX H' => hodb X H' (dvar DX)) L ->
  member (pi H'\ pi DX\ add H2 DX H' => hodb X H' (dvar DX)) L ->
  H1 = H2.
induction on 2. intros. case H2.
  case H3.
    search.
    case H1. apply member_prune to H4.
  case H3.
    case H1. apply member_prune to H4.
    case H1. apply IH to H6 H4 H5. search.

Theorem ctx_unique2 : forall L H X1 X2 HX,
  ctx L H ->
  member (pi H'\ pi DX\ add HX DX H' => hodb X1 H' (dvar DX)) L ->
  member (pi H'\ pi DX\ add HX DX H' => hodb X2 H' (dvar DX)) L ->
  X1 = X2.
induction on 2. intros. case H2.
  case H3.
    search.
    case H1. apply ctx_inv to H5 H4. apply ctx_nat to H5.
      apply le_absurd to H8 H7.
  case H3.
    case H1. apply ctx_inv to H5 H4. apply ctx_nat to H5.
      apply le_absurd to H8 H7.
    case H1. apply IH to H6 H4 H5. search.

Theorem add_ignores_ctx : forall L H A B C,
  ctx L H -> {L |- add A B C} -> {add A B C}.
induction on 2. intros. case H2.
  search.
  apply IH to H1 H3. search.
  apply ctx_inv to H1 H4. case H3.

%% hodb is deterministic in its third argument
%% ie, higher-order debruijn is unique
Theorem hodb_det3 : forall L M D1 D2 H,
  ctx L H -> {L |- hodb M H D1} -> {L |- hodb M H D2} -> D1 = D2.
induction on 2. intros. case H2.
  case H3.
    apply IH to H1 H4 H6. apply IH to H1 H5 H7. search.
    apply ctx_inv to H1 H7. case H6. case H8.
  case H3.
    apply IH to _ H4 H5. search.
    apply ctx_inv to H1 H6. case H5. case H7.
  apply ctx_inv to H1 H5. case H4.
  case H3.
    case H6.
    case H6.
    apply ctx_inv to H1 H10. case H9.
    apply ctx_unique1 to H1 H5 H10.
    apply add_ignores_ctx to H1 H8. apply add_ignores_ctx to H1 H13.
    apply add_det2 to H14 H15. search.

Theorem hodb_det3_simple : forall M D1 D2,
  {hodb M z D1} -> {hodb M z D2} -> D1 = D2.
intros. apply hodb_det3 to _ H1 H2. search.

%% hodb is deterministic in its first argument
%% ie, debruijn --> higher-order is unique
%% proof is mostly the same as hodb_det3 except with fewer cases
Theorem hodb_det1 : forall L M1 M2 D H,
  ctx L H -> {L |- hodb M1 H D} -> {L |- hodb M2 H D} -> M1 = M2.
induction on 2. intros. case H2.
  case H3.
    apply IH to H1 H4 H6. apply IH to H1 H5 H7. search.
    apply ctx_inv to H1 H7. case H6.
  case H3.
    apply IH to _ H4 H5. search.
    apply ctx_inv to H1 H6. case H5.
  apply ctx_inv to H1 H5. case H4.
  case H3. apply ctx_inv to H1 H10. case H9.
    apply add_ignores_ctx to H1 H8. apply add_ignores_ctx to H1 H13.
    apply ctx_nat to H1. apply add_det1 to H16 H14 H15.
    apply ctx_unique2 to H1 H5 H10. search.

Theorem hodb_det1_simple : forall M1 M2 D,
  {hodb M1 z D} -> {hodb M2 z D} -> M1 = M2.
intros. apply hodb_det1 to _ H1 H2. search.

It is instructive to compare this example to the Twelf development found in the Twelf wiki here: 

http://twelf.org/wiki/Concrete_representation 

In Abella we have no need for an ancillary induction measure. Moreover, the translation hodb is manifestly 
a bijection. 



C Transitivity of Subtyping in System Fsub 

fsub.sig — the hh signature 

sig fsub.

kind tp type.
type top tp.
type arr tp -> tp -> tp.
type all tp -> (tp -> tp) -> tp.
type sub tp -> tp -> o.

fsub.mod — the program clauses for subtyping 

module fsub.

sub T top.
sub (arr S1 S2) (arr T1 T2) :- sub T1 S1, sub S2 T2.
sub (all S1 S2) (all T1 T2) :-
  sub T1 S1,
  pi a\
    (pi U\ pi V\ sub a U => sub U V => sub a V) =>
    sub a T1 =>
    sub a a =>
      sub (S2 a) (T2 a).

fsub.thm — the proof of transitivity 

Specification "fsub".

Define name : tp -> prop by
  nabla n, name n.

Define ctx : olist -> prop by
  ctx nil
; nabla a, ctx ((sub a a) :: (sub a T) ::
                 (pi U\ pi V\ sub a U => sub U V => sub a V) :: L) := ctx L.

Define tp : tp -> prop by
  tp top
; nabla x, tp x
; tp (arr T1 T2) := tp T1 /\ tp T2
; tp (all T1 T2) := tp T1 /\ nabla x, tp (T2 x).

Theorem ctx_mem : forall L F,
  ctx L -> member F L -> exists A, name A /\
    ((F = sub A A) \/
     (exists T, F = sub A T) \/
     (F = pi U\ pi V\ sub A U => sub U V => sub A V)).
induction on 1. intros. case H1.
  case H2.
  case H2. search. case H4. search. case H5. search.
    apply IH to H3 H6. search.

Theorem ctx_sync : forall A L T,
  ctx L -> member (sub A T) L ->
  member (pi U\ pi V\ sub A U => sub U V => sub A V) L.
induction on 1. intros. case H1. case H2.
  case H2. search. case H4. search. case H5.
    apply IH to H3 H6. search.

Theorem ctx_sub_name : forall L D G,
  ctx L -> member D L -> {L, [D] |- G} -> exists A T, G = sub A T /\ name A.
intros. apply ctx_mem to H1 H2. case H5.
  case H3. search.
  case H3. search.
  case H3. search.

Theorem transitivity :
  forall L S Q T,
  ctx L -> tp Q -> {L |- sub S Q} -> {L |- sub Q T} -> {L |- sub S T}.
induction on 2.
intros. case H3.

  % sub S top.
  case H4. search.
    apply ctx_sub_name to H1 H6 H5. case H7.

  % sub (arr S1 S2) (arr T1 T2)
  case H4. search.
    case H2. apply IH to H1 H9 H7 H5. apply IH to H1 H10 H6 H8. search.
    apply ctx_sub_name to H1 H8 H7. case H9.

  % sub (all S1 S2) (all T1 T2)
  case H4. search.
    case H2. apply IH to H1 H9 H7 H5.
      assert ({pi U\ pi V\ sub n1 U => sub U V => sub n1 V, sub T4 T1, sub n1 T4 |- sub n1 T1}).
      cut H12 with H7. cut H6 with H13.
      apply IH to _ H10 H14 H8. search.
    apply ctx_sub_name to H1 H8 H7. case H9.

  % backchain on the context
  apply ctx_mem to H1 H6. case H8.

    % sub a a
    case H5. search.

    % sub a T1
    case H5. apply ctx_sync to H1 H6. search.

    % pi U\ pi V\ sub a U => sub U V => sub a V
    case H5. search.

To compare with the Twelf implementation, see the file pearl.elf from [17]. 

D Preservation of $\lambda$-Paths by Beta Reduction and Joinability of $\lambda$-Terms with the Same Paths 

bred.sig — the hh signature 

sig breduce.

kind tm type.
type abs (tm -> tm) -> tm.
type app tm -> tm -> tm.
type beta (tm -> tm) -> tm -> tm.

kind p type.
type left, right p -> p.
type bnd (p -> p) -> p.

type bred tm -> tm -> o.
type path tm -> p -> o.

type bfree tm -> o.

bred.mod — the program clauses for $\beta$-reduction and paths 

module breduce.

bred (abs M) (abs U) :-
  pi x\ bred x x => bred (M x) (U x).
bred (app M N) (app U V) :-
  bred M U, bred N V.
bred (beta R N) V :-
  pi x\ (pi u\ bred N u => bred x u)
        => bred (R x) V.

path (abs M) (bnd P) :-
  pi x\ pi p\ path x p => path (M x) (P p).
path (app M N) (left P) :-
  path M P.
path (app M N) (right P) :-
  path N P.
path (beta R N) P :-
  pi x\
    (pi q\ path N q => path x q) =>
    path (R x) P.

bfree (abs M) :- pi x\ bfree x => bfree (M x).
bfree (app M N) :- bfree M, bfree N.

bred.thm — proofs of path preservation in both directions and joinability of $\lambda$-terms with the same paths 

Specification "bred".
Close tm, p.

Define ctx2 : olist -> olist -> prop by
  ctx2 nil nil
; nabla x p,
    ctx2 (bred x x :: G) (path x p :: D) := ctx2 G D
; nabla x,
    ctx2 ((pi u\ bred N u => bred x u) :: G)
         ((pi q\ path N q => path x q) :: D) :=
      ctx2 G D.

Define name : tm -> prop by
  nabla n, name n.

Define fresh : tm -> tm -> prop by
  nabla n, fresh n X.

Define pname : p -> prop by
  nabla p, pname p.
Theorem ctx2_mem_G :
  forall G D F,
  ctx2 G D -> member F G ->
    ((exists x, F = bred x x /\ name x)
  \/ (exists x N, F = (pi u\ bred N u => bred x u) /\ fresh x N)).
induction on 1. intros. case H1.
  case H2.
  case H2.
    search. apply IH to H3 H4. case H5. search. search.
  case H2.
    search. apply IH to H3 H4. case H5. search. search.

Theorem ctx2_mem_D :
  forall G D F,
  ctx2 G D -> member F D ->
    ((exists x p, F = path x p /\ name x /\ pname p)
  \/ (exists x N, F = (pi q\ path N q => path x q) /\ fresh x N)).
induction on 1. intros. case H1.
  case H2.
  case H2.
    search. apply IH to H3 H4. case H5. search. search.
  case H2.
    search. apply IH to H3 H4. case H5. search. search.

Theorem ctx2_uniform :
  forall G D X, nabla n,
  ctx2 (G n) (D n) ->
  member (pi u\ bred X u => bred n u) (G n) ->
  member (pi q\ path X q => path n q) (D n).
induction on 1. intros. case H1.
  case H2.
  case H2. apply IH to H3 H4. search.
  case H2. apply IH to H3 H4. search.
  case H2. apply IH to H3 H4. search.
  case H2. search. apply IH to H3 H4. search.

Theorem member_prune_D :
  forall G D E, nabla (n:tm),
  ctx2 G D ->
  member (E n) D -> exists F, E = x\ F.
induction on 1. intros. case H1.
  case H2.
  case H2. search. apply IH to H3 H4. apply IH to H3 H4. search.
  case H2. search. apply IH to H3 H4. apply IH to H3 H4. search.

Theorem member_D_determinate :
  forall G D X Y, nabla n,
  ctx2 (G n) (D n) ->
  member (pi q\ path X q => path n q) (D n) ->
  member (pi q\ path Y q => path n q) (D n) ->
  X = Y.
induction on 1. intros. case H1.
  case H2.
  case H2. case H3. apply IH to H4 H5 H6. search.
  case H2. case H3. apply IH to H4 H5 H6. search.
  case H2. case H3. apply IH to H4 H5 H6. search.
  case H2. case H3.
    search. apply member_prune_D to H4 H5. apply member_prune_D to H4 H5.

Theorem member_D_discrim :
  forall G D X P, nabla n,
  ctx2 (G n) (D n) ->
  member (pi q\ path X q => path n q) (D n) ->
  member (path n P) (D n) ->
  false.
induction on 1. intros. case H1.
  case H2.
  case H2. case H3. apply IH to H4 H5 H6.
  case H2. apply member_prune_D to H4 H5.
  case H2. case H3. apply IH to H4 H5 H6.
  case H3. apply member_prune_D to H4 H5.

Theorem jump_D_invert :
  forall G D X P, nabla n,
  ctx2 (G n) (D n) ->
  member (pi q\ path X q => path n q) (D n) ->
  {D n |- path n P} -> {D n |- path X P}.
intros. case H3.
  apply ctx2_mem_D to H1 H5. case H6.
    case H4. apply member_D_discrim to H1 H2 H5.
    case H4. case H7. apply member_D_determinate to H1 H2 H5. search.

Theorem bred_ltr :
  forall G D M N P,
    ctx2 G D ->
    {G |- bred M N} ->
    {D |- path M P} -> {D |- path N P}.
induction on 2.
intros. case H2 (keep).
  case H3.
    apply IH to _ H4 H5. search.
    apply ctx2_mem_D to H1 H6. case H7.
      case H8. case H5. case H8. case H5.
  case H3.
    apply IH to _ H4 H6. search.
    apply IH to _ H5 H6. search.
    apply ctx2_mem_D to H1 H7. case H8.
      case H9. case H6. case H9. case H6.
  case H3.
    apply IH to _ H4 H5.
    inst H6 with n1 = N1.
    assert {D |- pi q\ path N1 q => path N1 q}.
    cut H7 with H8. search.
    apply ctx2_mem_D to H1 H6. case H7.
      case H8. case H5. case H8. case H5.
  apply ctx2_mem_G to H1 H5. case H6.
    case H7. case H4. search.
    case H7. case H4.
      assert {D n1 |- path X P}.
        apply ctx2_uniform to H1 H5.
        apply jump_D_invert to H1 H9 H3. search.
      apply IH to H1 H8 H9. search.

Theorem bred_rtl :
  forall G D M N P,
    ctx2 G D ->
    {G |- bred M N} ->
    {D |- path N P} -> {D |- path M P}.
induction on 2.
intros. case H2 (keep).
  case H3.
    apply IH to _ H4 H5. search.
    apply ctx2_mem_D to H1 H6. case H7.
      case H8. case H5. case H8. case H5.
  case H3.
    apply IH to _ H4 H6. search.
    apply IH to _ H5 H6. search.
    apply ctx2_mem_D to H1 H7. case H8.
      case H9. case H6. case H9. case H6.
  assert {D, (pi q\ path N1 q => path n1 q) |- path N P}.
  apply IH to _ H4 H5. search.
  apply ctx2_mem_G to H1 H5. case H6.
    case H7. case H4. search.
    case H7. case H4.
      apply IH to H1 H8 H3.
      apply ctx2_uniform to H1 H5. search.

% Two lambda terms must beta-reduce to a common term
% if they have the same paths

Define bfctx : olist -> olist -> prop by
  bfctx nil nil
; nabla n p, bfctx (bfree n :: L) (path n p :: K) := bfctx L K.

Theorem member_prune_path : forall E L, nabla (x:p),
  member (E x) L -> exists F, E = y\ F.
induction on 1. intros. case H1.
  search.
  apply IH to H2. search.

Theorem bfctx_member1 : forall X L K,
  bfctx L K -> member X L ->
    exists E F, X = bfree E /\ name E /\ member (path E F) K /\ pname F.
induction on 1. intros. case H1.
  case H2.
  case H2.
    search.
    apply IH to H3 H4. search.

Theorem bfctx_member2 : forall X L K,
  bfctx L K -> member X K -> exists E F, X = path E F /\ name E /\ pname F.
induction on 1. intros. case H1.
  case H2.
  case H2.
    search.
    apply IH to H3 H4. search.

Theorem member_path_unique : forall L K X Y F,
  bfctx L K -> member (path X F) K -> member (path Y F) K -> X = Y.
induction on 2. intros. case H2.
  case H3.
    search.
    case H1. apply member_prune_path to H4.
  case H3.
    case H1. apply member_prune_path to H4.
    case H1. apply IH to H6 H4 H5. search.

Theorem path_exists : forall L K M,
  bfctx L K -> {L |- bfree M} -> exists P, {K |- path M P}.
induction on 2. intros. case H2.
  assert bfctx (bfree n1 :: L) (path n1 n2 :: K).
  apply IH to H4 H3. search.
  apply IH to H1 H3. search.
  apply bfctx_member1 to H1 H4. case H3. search.

Theorem bfree_beta_absurd : forall L K R N,
  bfctx L K -> {L |- bfree (beta R N)} -> false.
intros. case H2.
  apply bfctx_member1 to H1 H4. case H5. case H3.

Theorem path_app : forall L K M N Y,
  bfctx L K -> {L |- bfree (app M N)} -> {L |- bfree Y} ->
  (forall P, {K |- path (app M N) P} -> {K |- path Y P}) ->
  exists YM YN, Y = app YM YN.
intros. case H2.
  apply path_exists to H1 H5.
  assert {K |- path (app M N) (left P)}.
  apply H4 to H8.
  case H9.
    search.
    apply bfree_beta_absurd to H1 H3.
    apply bfctx_member2 to H1 H11. case H13. case H15.
  apply bfctx_member1 to H1 H6. case H5. case H7.

Theorem path_abs : forall L K R Y,
  bfctx L K -> {L |- bfree (abs R)} -> {L |- bfree Y} ->
  (forall P, {K |- path (abs R) P} -> {K |- path Y P}) ->
  exists YR, Y = abs YR.
intros. case H2.
  assert bfctx (bfree n1 :: L) (path n1 n2 :: K).
  apply path_exists to H6 H5.
  assert {K |- path (abs R) (bnd P)}.
  apply H4 to H8.
  case H9.
    search.
    apply bfree_beta_absurd to H1 H3.
    apply bfctx_member2 to H1 H11. case H15. case H13.
  apply bfctx_member1 to H1 H6. case H5. case H7.

Theorem bfree_sames :
  forall L K M N,
    bfctx L K ->
    {L |- bfree M} -> {L |- bfree N} ->
    (forall p, {K |- path M p} -> {K |- path N p}) ->
    M = N.
induction on 2.
intros. case H2 (keep).

  % M = (abs M1)
  apply path_abs to H1 H2 H3 H4. case H3.
    assert forall p, {K, path n1 n2 |- path (M1 n1) p} ->
                     {K, path n1 n2 |- path (YR n1) p}.
      intros.
      assert {K |- path (abs M1) (bnd p)}.
      apply H4 to H8.
      case H9.
        search.
        apply bfctx_member2 to H1 H11. case H13. case H19.
    assert bfctx (bfree n1 :: L) (path n1 n2 :: K).
    apply IH to H8 H5 H6 H7. search.
    apply bfctx_member1 to H1 H7. case H8. case H6.

  % M = (app M1 N1)
  apply path_app to H1 H2 H3 H4. case H3.
    % Prove M1 = YM
    assert forall p, {K |- path M1 p} -> {K |- path YM p}.
      intros.
      assert {K |- path (app M1 N1) (left p)}.
      apply H4 to H15.
      case H11.
        search.
        apply bfctx_member2 to H1 H13. case H15. case H12.
    apply IH to H1 H5 H7 H9.
    % Prove N1 = YN
    assert forall p, {K |- path N1 p} -> {K |- path YN p}.
      intros.
      assert {K |- path (app M1 N1) (right p)}.
      apply H4 to H11.
      case H12.
        search.
        apply bfctx_member2 to H1 H14. case H16. case H13.
    apply IH to H1 H6 H8 H15.
    % Finish this case
    search.
    apply bfctx_member1 to H1 H8. case H9. case H7.

  % M is a variable
  apply bfctx_member1 to H1 H6. case H5.
  assert {K |- path M F1}.
  apply H4 to H15. case H9.
    case H11.
    apply bfree_beta_absurd to H1 H3.
    apply bfctx_member2 to H1 H13.
    case H12. apply member_path_unique to H1 H8 H13. search.

Define brctx : olist -> olist -> prop by
  brctx nil nil
; nabla x,
    brctx (bred x x :: L) (bfree x :: K) :=
      brctx L K
; nabla x,
    brctx ((pi u\ bred N u => bred x u) :: L) K :=
      brctx L K.

Theorem brctx_mem_l :
  forall L K E, brctx L K -> member E L ->
    ((exists x, E = bred x x /\ name x)
     \/ (exists x N, E = (pi u\ bred N u => bred x u) /\ fresh x N)).
induction on 1. intros. case H1 (keep).
  case H2.
  case H2. search.
    apply IH to H3 H4. case H5.
      search. search.
  case H2. search.
    apply IH to H3 H4. case H5.
      search. search.

Theorem brctx_sync :
  forall L K, nabla x, brctx (L x) (K x) ->
    member (bred x x) (L x) ->
    member (bfree x) (K x).
induction on 1. intros. case H1.
  case H2.
  case H2. apply IH to H3 H4. search.
  case H2. search. apply IH to H3 H4. search.
  case H2. apply IH to H3 H4. search.
  case H2. apply IH to H3 H4. search.

Theorem bred_makes_bfree :
  forall L K M U,
    brctx L K -> {L |- bred M U} -> {K |- bfree U}.
induction on 2. intros. case H2 (keep).
  apply IH to _ H3. search.
  apply IH to _ H3. apply IH to _ H4. search.
  apply IH to _ H3. search.
  apply brctx_mem_l to H1 H4. case H5.
    case H3. case H6.
      apply brctx_sync to H1 H4. search.
    case H3. case H6. apply IH to H1 H7. search.

Theorem same_paths_joinable :
  forall M N U V,
    (forall P, {path M P} -> {path N P}) ->
    {bred M U} -> {bred N V} -> U = V.
intros.
  apply bred_makes_bfree to _ H2.
  apply bred_makes_bfree to _ H3.
  backchain bfree_sames. intros.
  apply bred_rtl to _ H2 H6.
  apply H1 to H7.
  apply bred_ltr to _ H3 H8. search.

path.elf: the development of path preservation (i.e., the equivalent of bred_ltr and bred_rtl above) carried out in Twelf. Note that Twelf's meta-logic cannot express the equivalent of the same_paths_joinable theorem above, because it is not a Π₂ statement.

%% A Twelf proof for the preservation of paths under
%% marked beta reductions in the simply typed lambda calculus

% lambda terms
tm : type.
lam : (tm -> tm) -> tm.
app : tm -> tm -> tm.
beta : (tm -> tm) -> tm -> tm.

% paths
pth : type.
left : pth -> pth.
right: pth -> pth.
bnd : (pth -> pth) -> pth.

% beta reduction
breduce : tm -> tm -> type.

br-lam : breduce (lam M) (lam U)
          <- {x:tm} breduce x x -> breduce (M x) (U x).
br-app : breduce (app M N) (app U V)
          <- breduce M U
          <- breduce N V.
br-beta: breduce (beta R N) V
          <- {x:tm}({u:tm} breduce N u -> breduce x u)
              -> breduce (R x) V.
%block br-lam-blk : block {x:tm}{_:breduce x x}.
%block br-beta-blk : some {N:tm} block
                      {x:tm}{_: {u:tm} breduce N u -> breduce x u}.
%worlds (br-lam-blk | br-beta-blk) (breduce _ _).

% paths of terms
path : tm -> pth -> type.

p-lam : path (lam M) (bnd P)
         <- {x:tm}{p:pth} path x p -> path (M x) (P p).
p-appl: path (app M N) (left P)
         <- path M P.
p-appr: path (app M N) (right P)
         <- path N P.
p-beta: path (beta R N) P
         <- {x:tm}({q:pth} path N q -> path x q) -> path (R x) P.
%block p-lam-blk : block {x:tm}{p:pth}{_:path x p}.
%block p-beta-blk : some {N:tm} block
                     {x:tm}{_: {q:pth} path N q -> path x q}.
%worlds (p-lam-blk | p-beta-blk) (path _ _).
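
The path signature above fixes what a path is. As an added example (not part of the paper's development and not Twelf code), the following Python encodes the same four term constructors with de Bruijn indices, computes a term's path set by the rules p-lam, p-appl, p-appr and p-beta, performs the complete development that breduce describes, and checks on a constructed term that development leaves the path set unchanged, which is the property breduce-ltr and breduce-rtl establish.

```python
from dataclasses import dataclass
# Term constructors of the signature, bound variables as de Bruijn indices (added example).
@dataclass(frozen=True)
class Var:  idx: int                   # bound variable
@dataclass(frozen=True)
class Lam:  body: object               # lam M
@dataclass(frozen=True)
class App:  fn: object; arg: object    # app M N
@dataclass(frozen=True)
class Beta: body: object; arg: object  # beta R N, the marked redex (lam R) N

def shift(t, k, c=0):  # add k to the free indices >= c when a term moves under binders
    if isinstance(t, Var): return Var(t.idx + k) if t.idx >= c else t
    if isinstance(t, Lam): return Lam(shift(t.body, k, c + 1))
    if isinstance(t, App): return App(shift(t.fn, k, c), shift(t.arg, k, c))
    return Beta(shift(t.body, k, c + 1), shift(t.arg, k, c))

def subst(t, j, s):  # replace Var(j) by s in t, lowering the indices above j
    if isinstance(t, Var): return s if t.idx == j else Var(t.idx - 1) if t.idx > j else t
    if isinstance(t, Lam): return Lam(subst(t.body, j + 1, shift(s, 1)))
    if isinstance(t, App): return App(subst(t.fn, j, s), subst(t.arg, j, s))
    return Beta(subst(t.body, j + 1, shift(s, 1)), subst(t.arg, j, s))

def develop(t):  # the unique V with breduce t V: fire every marked redex (br-lam, br-app, br-beta)
    if isinstance(t, Var): return t
    if isinstance(t, Lam): return Lam(develop(t.body))
    if isinstance(t, App): return App(develop(t.fn), develop(t.arg))
    return subst(develop(t.body), 0, develop(t.arg))

def shift_path(p, s):  # move a path s binders deeper; its leaf index changes only if it points outside p
    *steps, k = p
    return p if k < steps.count("B") else (*steps, k + s)

def paths(t, env=(), depth=0):
    # A path is a tuple of 'B'/'L'/'R' steps ending in the de Bruijn index of the bnd it reaches;
    # env maps each bound term variable to (its path set, the depth at which that set was computed).
    if isinstance(t, Var):
        ps, d = env[-1 - t.idx]
        return {shift_path(p, depth - d) for p in ps}
    if isinstance(t, Lam):  # p-lam: the new term variable's only path is the new bnd variable
        return {("B",) + p for p in paths(t.body, env + (({(0,)}, depth + 1),), depth + 1)}
    if isinstance(t, App):  # p-appl and p-appr
        return {("L",) + p for p in paths(t.fn, env, depth)} | {("R",) + p for p in paths(t.arg, env, depth)}
    return paths(t.body, env + ((paths(t.arg, env, depth), depth),), depth)  # p-beta: x has N's paths

def paths_preserved(t):  # the content of breduce-ltr and breduce-rtl, for a closed term t
    return paths(t) == paths(develop(t))
# Constructed sample: lam a. app (beta (x\ lam y. app x y) a) (beta (z\ z) a)
SAMPLE = Lam(App(Beta(Lam(App(Var(1), Var(0))), Var(0)), Beta(Var(0), Var(0))))
```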

% beta reduction preserves the path (one direction)
breduce-ltr : breduce M N -> path M P -> path N P -> type.
%mode breduce-ltr +D1 +D2 -D3.

% lambda abstraction
- : breduce-ltr
     (br-lam Db : breduce (lam M) (lam U))
     (p-lam Dp : path (lam M) (bnd P))
     (p-lam Dpu : path (lam U) (bnd P))
     <- {x:tm}{p:pth}
        {bx: breduce x x}{px:path x p}
        breduce-ltr bx px px ->
        breduce-ltr
          (Db x bx : breduce (M x) (U x))
          (Dp x p px : path (M x) (P p))
          (Dpu x p px : path (U x) (P p)).

% application
- : breduce-ltr
     (br-app Dbn Dbm : breduce (app M N) (app U V))
     (p-appl Dpm : path (app M N) (left P))
     (p-appl Dpu : path (app U V) (left P))
     <- breduce-ltr Dbm Dpm Dpu.

- : breduce-ltr
     (br-app Dbn Dbm : breduce (app M N) (app U V))
     (p-appr Dpn : path (app M N) (right P))
     (p-appr Dpv : path (app U V) (right P))
     <- breduce-ltr Dbn Dpn Dpv.

% marked beta reduction
- : breduce-ltr
     (br-beta Db : breduce (beta R N) V)
     (p-beta Dp : path (beta R N) P)
     % apply Dv to arguments to get rid of the dependency on the hypotheses
     (Dv N ([q:pth] [p:path N q] p) : path V P)
     <- {x:tm}
        {bb:{u:tm} breduce N u -> breduce x u}
        {pb:{q:pth} path N q -> path x q}
        (% backchaining on the context
         {u:tm}{q:pth}
         {Dbn : breduce N u}
         {Dpn : path N q}
         {Dpq : path u q}
         breduce-ltr (bb u Dbn) (pb q Dpn) Dpq
           <- breduce-ltr Dbn Dpn Dpq) ->
        breduce-ltr (Db x bb) (Dp x pb) (Dv x pb).

%block bltr-lam-blk : block
                       {x:tm}{p:pth}
                       {bx:breduce x x}{px:path x p}
                       {_: breduce-ltr bx px px}.
%block bltr-beta-blk : some {N:tm} block
                        {x:tm}
                        {bb:{u:tm} breduce N u -> breduce x u}
                        {pb:{q:pth} path N q -> path x q}
                        {_ :
                          {u:tm}{q:pth}
                          {Dbn : breduce N u}
                          {Dpn : path N q}
                          {Dpq : path u q}
                          breduce-ltr (bb u Dbn) (pb q Dpn) Dpq
                            <- breduce-ltr Dbn Dpn Dpq}.

%worlds (bltr-lam-blk | bltr-beta-blk) (breduce-ltr _ _ _).
%terminates D (breduce-ltr D _ _).
%covers (breduce-ltr +D1 +D2 -D3).
%total D (breduce-ltr D _ _).

% beta reduction preserves the path (another direction)
breduce-rtl : breduce M N -> path N P -> path M P -> type.
%mode breduce-rtl +D1 +D2 -D3.

% lambda abstraction
- : breduce-rtl
     (br-lam Db : breduce (lam M) (lam U))
     (p-lam Dp : path (lam U) (bnd P))
     (p-lam Dp' : path (lam M) (bnd P))
     <- {x:tm}{p:pth}
        {bx: breduce x x}{px:path x p}
        {_ : breduce-rtl bx px px}
        breduce-rtl (Db x bx) (Dp x p px) (Dp' x p px).

% application
- : breduce-rtl
     (br-app Dbn Dbm : breduce (app M N) (app U V))
     (p-appl Dpu : path (app U V) (left P))
     (p-appl Dpm : path (app M N) (left P))
     <- breduce-rtl Dbm Dpu Dpm.

- : breduce-rtl
     (br-app Dbn Dbm : breduce (app M N) (app U V))
     (p-appr Dpv : path (app U V) (right P))
     (p-appr Dpn : path (app M N) (right P))
     <- breduce-rtl Dbn Dpv Dpn.

% marked beta reduction
- : breduce-rtl
     (br-beta Db : breduce (beta R N) V)
     (Dpv : path V P)
     (p-beta Dpr : path (beta R N) P)
     <- {x:tm}
        {bb:{u:tm} breduce N u -> breduce x u}
        {pb:{q:pth} path N q -> path x q}
        (% backchaining on the context
         {u:tm}{p:pth}
         {Dpp: path u p}
         {Dbn : breduce N u}
         {Dpn : path N p}
         breduce-rtl (bb u Dbn) Dpp (pb p Dpn)
           <- breduce-rtl Dbn Dpp Dpn) ->
        breduce-rtl (Db x bb) Dpv (Dpr x pb).

%block brtl-lam-blk : block
                       {x:tm}{p:pth}
                       {bx: breduce x x}{px:path x p}
                       {_ : breduce-rtl bx px px}.
%block brtl-beta-blk : some {N:tm} block
                        {x:tm}
                        {bb:{u:tm} breduce N u -> breduce x u}
                        {pb:{q:pth} path N q -> path x q}
                        {_ :
                          {u:tm}{p:pth}
                          {Dpp: path u p}
                          {Dbn : breduce N u}
                          {Dpn : path N p}
                          breduce-rtl (bb u Dbn) Dpp (pb p Dpn)
                            <- breduce-rtl Dbn Dpp Dpn}.
%worlds (brtl-lam-blk | brtl-beta-blk) (breduce-rtl _ _ _).
%terminates D (breduce-rtl D _ _).
%covers (breduce-rtl +D1 +D2 -D3).
%total D (breduce-rtl D _ _).